Topic: Find the IP of those who rooted my server


Archlnx
Find the IP of those who rooted my server
« on: April 22, 2015, 04:07:48 pm »
Hi, I was curious if there was any way of being able to tell who has rooted my server? This person was able to get ssh access and I would like to find the user's IP or set up almost a honey pot type of thing on the server to possibly catch whoever it is (even though the chances are very high they had a VPN on?). If that isn't possible I would still like to manage to get root access back and have any back doors that may have been installed taken off. Any advice or help I'd appreciate!
« Last Edit: April 22, 2015, 05:06:53 pm by ande »

Phage
Re: Any way to find the IP rooted server?
« Reply #1 on: April 22, 2015, 04:17:04 pm »
Would've been great with some more information...

Here's where to check for ssh logins.

Ubuntu:
Code:
/var/log/auth.log
RedHat:
Code:
/var/log/secure
Also, to re-gain access, simply open the console at your host provider. If you don't feel like going through your current server's security (which you should), you can simply install a fresh image of whatever distro you'd like.
« Last Edit: April 22, 2015, 04:17:45 pm by Phage »
"Ruby devs do, in fact, get all the girls. No girl wants a python, but EVERY girl wants rubies" - connection

"It always takes longer than you expect, even when you take into account Hofstadter’s Law."
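As an added example (not code from the thread or its posters), here is a small Python parser that pulls accepted and failed sshd logins, with their source IPs, out of lines in the CentOS /var/log/secure and Ubuntu auth.log syslog format; the sample log lines, the hostname "vps" and the IP addresses are constructed.

```python
import re
from collections import Counter

# Matches the sshd auth lines written to /var/log/secure (CentOS) and
# /var/log/auth.log (Ubuntu). Constructed regex; the field layout is assumed.
SSH_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.:a-fA-F]+) port \d+"
)

def parse_ssh_auth(lines):
    """Yield (timestamp, result, method, user, ip) for each sshd auth line."""
    for line in lines:
        m = SSH_LINE.match(line)
        if m:
            yield (m.group("ts"), m.group("result"), m.group("method"),
                   m.group("user"), m.group("ip"))

def accepted_logins(lines):
    """Return successful logins as (timestamp, user, ip), in log order."""
    return [(ts, user, ip) for ts, res, _m, user, ip in parse_ssh_auth(lines)
            if res == "Accepted"]

def failures_per_ip(lines):
    """Count failed attempts per source IP (the brute force before a break-in)."""
    return Counter(ip for _ts, res, _m, _u, ip in parse_ssh_auth(lines)
                   if res == "Failed")

# Constructed sample lines in the /var/log/secure format (documentation IP ranges).
SAMPLE_LOG = """\
Apr 21 23:58:01 vps sshd[2101]: Failed password for root from 203.0.113.45 port 51022 ssh2
Apr 21 23:58:04 vps sshd[2101]: Failed password for root from 203.0.113.45 port 51022 ssh2
Apr 21 23:58:09 vps sshd[2103]: Failed password for invalid user admin from 203.0.113.45 port 51030 ssh2
Apr 21 23:58:15 vps sshd[2105]: Accepted password for root from 203.0.113.45 port 51041 ssh2
Apr 22 08:12:40 vps sshd[2410]: Accepted publickey for archlnx from 198.51.100.7 port 40211 ssh2
Apr 22 08:12:40 vps sshd[2410]: pam_unix(sshd:session): session opened for user archlnx by (uid=0)
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ts, user, ip in accepted_logins(lines):
        print(f"{ts}  {user:<10} logged in from {ip}")
    for ip, n in failures_per_ip(lines).most_common():
        print(f"{n} failed attempts from {ip}")
```

On a real box, feed it the lines of /var/log/secure (or the rotated copies) instead of SAMPLE_LOG. An attacker with root can edit or truncate these logs, so an empty result is not proof that no login happened.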

Archlnx
Re: Any way to find the IP rooted server?
« Reply #2 on: April 22, 2015, 04:33:50 pm »
Sorry, I'll try to be a little more specific. My server OS is CentOS, it's a VPS server, and I'm almost a hundred percent sure there's a back door. My server name changed to 'jailroot' after it happened. I checked the history log and they had to have entered at least 200+ commands on there. But thank you for the response, I will reinstall a new image. :)